“Back to Basics: using analogue and manual methods to counter cyber threats.” (From our Forum.)

Text originally published by Timothy Ogden on the Cyber Secure Central Forums.

In the realm of cyber security, the use of pens and paper is usually a sign that something has gone badly wrong, and that the victims of the attack — be it in the form of a hostile takeover, or the forced installation of malware or ransomware — are resorting to physical means as a last resort in the hopes of keeping operations going. As previously reported on these pages, an international Norwegian company which suffered a catastrophic ransomware assault was forced to trawl through decades of paper files in order to perform tasks which are now entirely in the province of automation, as well as bring in retirees who had worked for the firm before the days of machines labour.

Yet now, the use of anachronistic methods is being touted as an impenetrable line of defence against cyber threats. The concept came to prominence in the summer of 2018, when the local Alaskan government of Matanuska-Susitna suffered a cyber attack. However, office staff had practiced using pen and paper to resume operations in such an eventuality, and so daily operations were able to continue relatively unhindered. “Having these plans and being able to go to paper and pen and manual methods was very helpful,” Eric Wyatt, the Matanuska-Susitna Borough IT director said. “We could keep our doors open and continue to provide service to our citizens.”

This notion is somewhat out of step with conventional cyber defence doctrine, which dictates that cutting-edge attack software can only be prevented from having an effect by equally cutting-edge countermeasures. However, since 2018, the idea has gained traction; later that year, a US congressional hearing was directly advised to consider the scheme by Kevin Mandia, chief executive of the FireEye cyber security firm. “[Government agencies should be required] to develop and carry out continuity-of-operations plans that practice, even for just 24 hours, going without Internet connectivity while continuing critical functions,” Mandia said.

In response to Mandia’s address, Senator Maggie Hassan told The Washington Post: “Emergency preparedness including carrying out drills and real-life exercises can help save lives when terrorist attacks or natural disasters occur, and cyber attacks are no different,” Hassan said. “Both the public and private sectors need to conduct training, simulations and planning for cyber attacks — and drills to practice not having Internet access for 24 hours are worth considering.”

Just how seriously the US government is taking the suggestion is arguably best demonstrated by the fact that the National Security Agency, one of America’s principle intelligence agencies, is using ‘retro’ methods to secure critical national infrastructure (CNI) against cyber attacks. The employment of analogue and manual technology is to be introduced prior to the 2020 presidential election, the 2016 race having been plagued by accusations of foreign interference.

“This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber attacks much more difficult,” said a press release as the Securing Energy Infrastructure Act, (SEIA), passed the Senate floor.

When introducing the bill in 2016, U.S. Senators Angus King (I-Maine) and Jim Risch (R-Idaho) said: “Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators.”

While the approach has its detractors, its effectiveness cannot be yet denied, despite the possible need for a return to hiring more manual labour. So far, the concept has been limited to US government application, but it is perhaps something alternative for cyber security firms in the private sector to consider.

Disclaimer

The content of this article does not reflect the official opinion of Cyber Secure Central. Responsibility for the information and views expressed in the article lies entirely with the author(s).